组网需求
配置L3VPN迭代SR-MPLS TE隧道,保证相同VPN用户之间的安全互访。
配置思路
采用如下的思路配置L3VPN迭代SR-MPLS TE隧道:
骨干网上配置IS-IS实现PE之间的互通。
骨干网上使能MPLS,配置Segment Routing,建立SR-MPLS TE隧道,指定隧道的IP地址、隧道协议、以及目的地址等,路径计算采用显式路径。
PE上配置使能IPv4地址族VPN实例,并把与CE相连的接口和相应的VPN实例绑定。
PE之间配置MP-IBGP交换路由信息。
CE与PE之间配置EBGP交换路由信息。
操作步骤
步骤1 配置接口的IP地址。
# 配置PE1。
<HUAWEI> system-view
[~HUAWEI] sysname PE1
[*HUAWEI] commit
[~PE1] interface loopback 1
[*PE1-LoopBack1] ip address 1.1.1.9 32
[*PE1-LoopBack1] quit
[*PE1] interface gigabitethernet2/0/0
[*PE1-GigabitEthernet2/0/0] ip address 172.16.1.1 24
[*PE1-GigabitEthernet2/0/0] quit
[*PE1] commit# 配置P1。
<HUAWEI> system-view
[~HUAWEI] sysname P1
[*HUAWEI] commit
[~P1] interface loopback 1
[*P1-LoopBack1] ip address 2.2.2.9 32
[*P1-LoopBack1] quit
[*P1] interface gigabitethernet1/0/0
[*P1-GigabitEthernet1/0/0] ip address 172.16.1.2 24
[*P1-GigabitEthernet1/0/0] quit
[*P1] interface gigabitethernet2/0/0
[*P1-GigabitEthernet2/0/0] ip address 172.17.1.1 24
[*P1-GigabitEthernet2/0/0] quit
[*P1] commit# 配置PE2。
<HUAWEI> system-view
[~HUAWEI] sysname PE2
[*HUAWEI] commit
[~PE2] interface loopback 1
[*PE2-LoopBack1] ip address 3.3.3.9 32
[*PE2-LoopBack1] quit
[*PE2] interface gigabitethernet2/0/0
[*PE2-GigabitEthernet2/0/0] ip address 172.17.1.2 24
[*PE2-GigabitEthernet2/0/0] quit
[*PE2] commit步骤2 在骨干网上配置IGP协议,实现骨干网PE和P的互通。本例中以IS-IS为例进行说明。
# 配置PE1。
[~PE1] isis 1
[*PE1-isis-1] is-level level-2
[*PE1-isis-1] network-entity 10.0000.0000.0001.00
[*PE1-isis-1] quit
[*PE1] commit
[*PE1] interface loopback 1
[*PE1-LoopBack1] isis enable 1
[*PE1-LoopBack1] quit
[*PE1] interface gigabitethernet2/0/0
[*PE1-GigabitEthernet2/0/0] isis enable 1
[*PE1-GigabitEthernet2/0/0] quit
[*PE1] commit# 配置P1。
[~P1] isis 1
[*P1-isis-1] is-level level-2
[*P1-isis-1] network-entity 10.0000.0000.0002.00
[*P1-isis-1] quit
[*P1] commit
[~P1] interface loopback 1
[*P1-LoopBack1] isis enable 1
[*P1-LoopBack1] quit
[*P1] interface gigabitethernet1/0/0
[*P1-GigabitEthernet1/0/0] isis enable 1
[*P1-GigabitEthernet1/0/0] quit
[*P1] interface gigabitethernet2/0/0
[*P1-GigabitEthernet2/0/0] isis enable 1
[*P1-GigabitEthernet2/0/0] quit
[*P1] commit# 配置PE2。
[~PE2] isis 1
[*PE2-isis-1] is-level level-2
[*PE2-isis-1] network-entity 10.0000.0000.0003.00
[*PE2-isis-1] quit
[*PE2] commit
[~PE2] interface loopback 1
[*PE2-LoopBack1] isis enable 1
[*PE2-LoopBack1] quit
[*PE2] interface gigabitethernet2/0/0
[*PE2-GigabitEthernet2/0/0] isis enable 1
[*PE2-GigabitEthernet2/0/0] quit
[*PE2] commit步骤3 在骨干网上配置MPLS基本能力,使能MPLS TE
# 配置PE1。
[~PE1] mpls lsr-id 1.1.1.9
[*PE1] mpls
[*PE1-mpls] mpls te
[*PE1-mpls] quit
[*PE1] commit# 配置P1。
[~P1] mpls lsr-id 2.2.2.9
[*P1] mpls
[*P1-mpls] mpls te
[*P1-mpls] quit
[*P1] commit# 配置PE2。
[~PE2] mpls lsr-id 3.3.3.9
[*PE2] mpls
[*PE2-mpls] mpls te
[*PE2-mpls] quit
[*PE2] commit步骤4 在骨干网上配置Segment Routing,建立SR-MPLS TE隧道,指定隧道的IP地址、隧道协议、以及目的地址等,路径计算采用显式路径。
# 配置PE1。
[~PE1] segment-routing
[*PE1-segment-routing] quit
[*PE1] commit
[~PE1] isis 1
[*PE1-isis-1] cost-style wide
[*PE1-isis-1] traffic-eng level-2
[*PE1-isis-1] segment-routing mpls
[*PE1-isis-1] segment-routing global-block 16000 20000
[*PE1-isis-1] quit
[*PE1] interface loopback 1
[*PE1-LoopBack1] isis prefix-sid absolute 16100
[*PE1-LoopBack1] quit
[*PE1] commit
[~PE1] explicit-path pe2
[*PE1-explicit-path-pe2] next sid label 16200 type prefix
[*PE1-explicit-path-pe2] next sid label 16300 type prefix
[*PE1-explicit-path-pe2] quit
[*PE1] interface tunnel1
[*PE1-Tunnel1] ip address unnumbered interface LoopBack1
[*PE1-Tunnel1] tunnel-protocol mpls te
[*PE1-Tunnel1] destination 3.3.3.9
[*PE1-Tunnel1] mpls te tunnel-id 1
[*PE1-Tunnel1] mpls te signal-protocol segment-routing
[*PE1-Tunnel1] mpls te path explicit-path pe2
[*PE1-Tunnel1] commit
[~PE1-Tunnel1] quit# 配置P1。
[~P1] segment-routing
[*P1-segment-routing] quit
[*P1] commit
[~P1] isis 1
[*P1-isis-1] cost-style wide
[*P1-isis-1] traffic-eng level-2
[*P1-isis-1] segment-routing mpls
[*P1-isis-1] segment-routing global-block 16000 20000
[*P1-isis-1] quit
[*P1] interface loopback 1
[*P1-LoopBack1] isis prefix-sid absolute 16200
[*P1-LoopBack1] quit
[*P1] commit# 配置PE2。
[~PE2] segment-routing
[*PE2-segment-routing] quit
[*PE2] commit
[~PE2] isis 1
[*PE2-isis-1] cost-style wide
[*PE2-isis-1] traffic-eng level-2
[*PE2-isis-1] segment-routing mpls
[*PE2-isis-1] segment-routing global-block 16000 20000
[*PE2-isis-1] quit
[*PE2] interface loopback 1
[*PE2-LoopBack1] isis prefix-sid absolute 16300
[*PE2-LoopBack1] quit
[*PE2] commit
[~PE2] explicit-path pe1
[*PE2-explicit-path-pe1] next sid label 16200 type prefix
[*PE2-explicit-path-pe1] next sid label 16100 type prefix
[*PE2-explicit-path-pe1] quit
[*PE2] interface tunnel1
[*PE2-Tunnel1] ip address unnumbered interface LoopBack1
[*PE2-Tunnel1] tunnel-protocol mpls te
[*PE2-Tunnel1] destination 1.1.1.9
[*PE2-Tunnel1] mpls te tunnel-id 1
[*PE2-Tunnel1] mpls te signal-protocol segment-routing
[*PE2-Tunnel1] mpls te path explicit-path pe1
[*PE2-Tunnel1] commit
[~PE2-Tunnel1] quit# 配置完成后,在PE设备上执行display tunnel-info all命令,可以看到SR-MPLS TE隧道已建立。以PE1的显示为例。
[~PE1] display tunnel-info all
Tunnel ID Type Destination Status
----------------------------------------------------------------------------------------
1 sr-te 3.3.3.9 UP# 在PE1上使用Ping检测SR LSP连通性,例如:
[~PE1] ping lsp segment-routing te Tunnel 1
LSP PING FEC: SEGMENT ROUTING TE TUNNEL IPV4 SESSION QUERY Tunnel1 : 100 data bytes, press
CTRL_C to break
Reply from 3.3.3.9: bytes=100 Sequence=1 time=7 ms
Reply from 3.3.3.9: bytes=100 Sequence=2 time=11 ms
Reply from 3.3.3.9: bytes=100 Sequence=3 time=11 ms
Reply from 3.3.3.9: bytes=100 Sequence=5 time=10 ms
--- FEC: SEGMENT ROUTING TE TUNNEL IPV4 SESSION QUERY Tunnel1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/8/11 ms步骤5 在PE之间建立MP-IBGP对等体关系
# 配置PE1。
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.9 as-number 100
[*PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit# 配置PE2。
[~PE1] bgp 100
[~PE1-bgp] peer 3.3.3.9 as-number 100
[*PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[*PE1-bgp] ipv4-family vpnv4
[*PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[*PE1-bgp-af-vpnv4] commit
[~PE1-bgp-af-vpnv4] quit
[~PE1-bgp] quit配置完成后,在PE设备上执行display bgp peer或display bgp vpnv4 all peer命令,可以看到PE之间的BGP对等体关系已建立,并达到Established状态。以PE1的显示为例。
[~PE1] display bgp peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 2 6 0 00:00:12 Established 0
[~PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
3.3.3.9 4 100 12 18 0 00:09:38 Established 0步骤6 在PE设备上配置使能IPv4地址族的VPN实例,将CE接入PE
# 配置PE1。
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[*PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] interface gigabitethernet1/0/0
[*PE1-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE1-GigabitEthernet1/0/0] quit
[*PE1] commit# 配置PE2。
[~PE2] ip vpn-instance vpna
[*PE2-vpn-instance-vpna] ipv4-family
[*PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[*PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[*PE2-vpn-instance-vpna-af-ipv4] quit
[*PE2-vpn-instance-vpna] quit
[*PE2] interface gigabitethernet1/0/0
[*PE2-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[*PE2-GigabitEthernet1/0/0] quit
[*PE2] commit# 按图配置各CE的接口IP地址,配置过程请参见后面的配置文件。
配置完成后,在PE设备上执行display ip vpn-instance verbose命令可以看到VPN实例的配置情况。各PE能ping通自己接入的CE。
步骤7 在PE设备上配置隧道选择策略,优选SR-MPLS TE。
# 配置PE1。
[~PE1] tunnel-policy p1
[*PE1-tunnel-policy-p1] tunnel select-seq sr-te load-balance-number 1
[*PE1-tunnel-policy-p1] quit
[*PE1] commit
[~PE1] ip vpn-instance vpna
[*PE1-vpn-instance-vpna] ipv4-family
[*PE1-vpn-instance-vpna-af-ipv4] tnl-policy p1
[*PE1-vpn-instance-vpna-af-ipv4] quit
[*PE1-vpn-instance-vpna] quit
[*PE1] commit# 配置PE2。
[~PE2] tunnel-policy p1
[*PE2-tunnel-policy-p1] tunnel select-seq sr-te load-balance-number 1
[*PE2-tunnel-policy-p1] quit
[*PE2] commit
[~PE2] ip vpn-instance vpna
[*PE2-vpn-instance-vpna] ipv4-family
[*PE2-vpn-instance-vpna-af-ipv4] tnl-policy p1
[*PE2-vpn-instance-vpna-af-ipv4] quit
[*PE2-vpn-instance-vpna] quit
[*PE2] commit步骤8 在PE与CE之间建立EBGP对等体关系
# 配置CE1。
[~CE1] interface loopback 1
[*CE1-LoopBack1] ip address 10.11.1.1 32
[*CE1-LoopBack1] quit
[*CE1] interface gigabitethernet1/0/0
[*CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[*CE1-GigabitEthernet1/0/0] quit
[*CE1] bgp 65410
[*CE1-bgp] peer 10.1.1.2 as-number 100
[*CE1-bgp] network 10.11.1.1 32
[*CE1-bgp] quit
[*CE1] commit# 配置PE1。
[~PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpna
[*PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[*PE1-bgp-vpna] commit
[*PE1-bgp-vpna] quit配置完成后,在PE设备上执行display bgp vpnv4 vpn-instance peer命令,可以看到PE与CE之间的BGP对等体关系已建立,并达到Established状态。
以PE1与CE1的对等体关系为例:
[~PE1] display bgp vpnv4 vpn-instance vpna peer
BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpna, Router ID 1.1.1.9:
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 11 9 0 00:06:37 Established 1步骤9 检查配置结果
在PE设备上执行display ip routing-table vpn-instance命令,可以看到去往CE上的Loopback接口路由。
以PE1的显示为例:
[~PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 7 Routes : 7
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.1.1.255/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0
10.11.1.1/32 EBGP 255 0 RD 10.1.1.1 GigabitEthernet1/0/0
10.22.2.2/32 IBGP 255 0 RD 3.3.3.9 Tunnel1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
255.255.255.255/32 Direct 0 0 D 127.0.0.1 InLoopBack0CE之间能够相互Ping通,例如: CE1能够Ping通CE2( 10.22.2.2)。
[~CE1] ping -a 10.11.1.1 10.22.2.2
PING 10.22.2.2: 56 data bytes, press CTRL_C to break
Reply from 10.22.2.2: bytes=56 Sequence=1 ttl=251 time=72 ms
Reply from 10.22.2.2: bytes=56 Sequence=2 ttl=251 time=34 ms
Reply from 10.22.2.2: bytes=56 Sequence=3 ttl=251 time=50 ms
Reply from 10.22.2.2: bytes=56 Sequence=4 ttl=251 time=50 ms
Reply from 10.22.2.2: bytes=56 Sequence=5 ttl=251 time=34 ms
--- 10.22.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms----结束。